Last week, there was ample coverage of the SK Comms data breach, which involved one of the more popular service providers in South Korea that offers social networking and instant-messaging (IM) as well as mobile phone services. The breach affected the user accounts of the NATE portal and Cyworld, both SK Comms offerings.

Within the same week, we also found malware that may be related to this incident. The backdoor, which we detect as BKDR_SOGU.A (SHA1 hash 1733217aa852957269cd201f6cf53ef314e86897), connects to {BLOCKED}n.duamlive.com, its C&C server. The backdoor and the C&C server exchange data via HTTP POST requests, through which the remote malicious user sends commands to the infected system and receives the results. As of this writing, this URL is already inaccessible.

One notable routine of this backdoor is its ability to connect to a specific database on the infected system and fetch and collect data from it. The routine is implemented with several ODBC APIs, namely SQLAllocHandle, SQLDriverConnect, SQLExecDirect, SQLNumResultCols, and SQLFetch. The figures below show the code disassembly of how the malware uses these APIs.

The database the backdoor accesses and the types of information it gathers are defined based on the parameters the remote server provides. Other backdoor routines (e.g., enumerating registry values or listing files in a specified directory) may be able to provide such data as well.
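The ODBC call chain above (allocate handle, connect, execute, count columns, fetch) is also exactly what a legitimate reporting tool does, so on its own it is a weak signal; what distinguishes the backdoor is that the collected data is then pushed out over HTTP POST to the C&C server. The following detection sketch is an added example, not code from the original post or from Trend Micro: it assumes per-process API-call and HTTP telemetry of the kind a sandbox or instrumented host produces (the event tuple format, process names and hosts are constructed), and flags a process only when it completes the ordered ODBC chain and POSTs within a short window afterwards.

```python
from collections import defaultdict
# Ordered ODBC call chain the post describes BKDR_SOGU.A using to pull data
# from a target database (allocate handle, connect, run query, read rows).
ODBC_CHAIN = ("SQLAllocHandle", "SQLDriverConnect", "SQLExecDirect",
              "SQLNumResultCols", "SQLFetch")
# Constructed sandbox-style telemetry, not taken from the post:
# (time_s, pid, image_path, kind, detail) with kind "api" or "http".
TMP = "C:\\Users\\user\\AppData\\Local\\Temp\\update.exe"
REPORT = "C:\\Program Files\\Reporting\\report.exe"
SAMPLE_EVENTS = [
    (100, 4242, TMP, "api", "SQLAllocHandle"),
    (101, 4242, TMP, "api", "SQLDriverConnect"),
    (102, 4242, TMP, "api", "SQLExecDirect"),
    (103, 4242, TMP, "api", "SQLNumResultCols"),
    (104, 4242, TMP, "api", "SQLFetch"),
    (130, 4242, TMP, "http", "POST http://c2.example.invalid/"),  # exfil/check-in
    (200, 5150, REPORT, "api", "SQLAllocHandle"),
    (201, 5150, REPORT, "api", "SQLDriverConnect"),
    (202, 5150, REPORT, "api", "SQLExecDirect"),
    (203, 5150, REPORT, "api", "SQLNumResultCols"),
    (204, 5150, REPORT, "api", "SQLFetch"),  # legitimate query, no POST after it
    (300, 6000, "C:\\Windows\\System32\\WerFault.exe", "http", "POST https://t.example.invalid/"),
]


def chain_completed_at(api_calls, chain=ODBC_CHAIN):
    """Time the ordered chain first completes in (time_s, api_name) calls,
    ignoring unrelated calls in between; None if it never completes."""
    idx = 0
    for t, name in api_calls:
        if name == chain[idx]:
            idx += 1
            if idx == len(chain):
                return t
    return None


def detect(events, window_s=300):
    """Flag processes that complete the ODBC chain and then POST within window_s."""
    per_proc = defaultdict(list)
    for ev in sorted(events):  # group by (pid, image), time-ordered
        per_proc[(ev[1], ev[2])].append(ev)
    alerts = []
    for (pid, image), evs in per_proc.items():
        done = chain_completed_at([(t, d) for t, _, _, k, d in evs if k == "api"])
        if done is None:
            continue
        posts = [t for t, _, _, k, d in evs if k == "http" and d.startswith("POST ")]
        hit = next((t for t in posts if 0 <= t - done <= window_s), None)
        if hit is not None:
            alerts.append({"pid": pid, "image": image, "chain_done": done, "post_at": hit})
    return alerts
```

In the constructed sample only the Temp-directory process is flagged; the reporting tool runs the same ODBC chain but never POSTs, and the WerFault POST has no database access behind it.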

So far, nothing in the code suggests that it was created solely and specifically for certain attacks. In fact, it may be used and reused for as long as the malware goes undetected by the network's security software. As we have stated before, attacks against large corporations do not always require highly sophisticated malware technology but rather the ingenious combination of other techniques (e.g., exploiting known vulnerabilities, social engineering, etc.) that can lead to a successful targeted attack.